PRIVACY NOTICE FOR THE SALVIA-DK APP

We attach great importance to the security and confidentiality of personal data.
This Privacy Notice describes how SALVIA-DK collects and processes personal data in connection with the use of the SALVIA-DK App and the related services, limited to the processing activities for which SALVIA-DK acts as an independent data controller.

Unless expressly stated otherwise, this Privacy Notice does not govern the processing of personal data carried out by the Researcher or the entity promoting the study in the context of questionnaires, research activities, scientific studies, or protocols configured through the SALVIA-DK dashboard. For such processing activities, the Researcher or the entity promoting the study generally acts as the data controller and must provide its own privacy notice.

For any questions regarding the processing of personal data under this Privacy Notice, you may contact us at: salvia.dk.app@gmail.com.

1. WHEN DOES THIS PRIVACY NOTICE APPLY?

This Privacy Notice applies to the collection and processing of personal data carried out by SALVIA-DK in connection with the use of the SALVIA-DK App and the related services.

The SALVIA-DK App is a mobile application that may, as applicable, be made available through the main digital stores and may be used:
a) by app users for personal or testing purposes;
b) by participants in a study or research project who use the app to complete questionnaires or interact with features configured by the Researcher;
c) by Researchers or authorised users, to the extent that they also use the app for testing, verification, or other functions connected with the services.

This Privacy Notice relates exclusively to processing activities carried out by SALVIA-DK as an independent data controller, including, by way of example, the technical provision of the app, security, logging, abuse prevention, technical support, and legal compliance.

2. WHO ARE WE?

For the processing activities described in this Privacy Notice, SALVIA-DK acts as the data controller.

Our contact details are as follows:
Name: SALVIA-DK
E-mail: salvia.dk.app@gmail.com
[Registered or operational office, if any:] [to be inserted]
[Privacy contact / DPO, if any:] [to be inserted, if applicable]

3. WHAT PERSONAL DATA DO WE COLLECT AND PROCESS?

3.1. In order to provide the SALVIA-DK App and the related services, SALVIA-DK may collect and process, under its own responsibility, the following categories of personal data:

a) User ID
This is an internal identifier automatically assigned when the app is installed or first activated. It is used to enable the technical functioning of the service, the correct association of features, and the technical management of the user within the SALVIA-DK infrastructure.

b) Device information and technical data, which may include, depending on the circumstances:

device type;
operating system;
application version;
technical information relating to the use of the services;
technical logs;
application errors;
information necessary to identify malfunctions, prevent abuse, or ensure the security of the infrastructure.

c) Where provided for by the configuration of the study or the service, the app may process location data or indicators derived from location data.
Where such data are processed by SALVIA-DK as controller, they are limited to what is strictly necessary for the technical provision of the service, for security purposes, or for other clearly specified purposes. Where location data are processed in the context of a study configured by the Researcher, such processing generally falls under the responsibility of the Researcher or the entity promoting the study. Location data require particular caution from the perspective of minimisation and proportionality.

3.2. Researchers may use the SALVIA-DK dashboard to configure study activities, questionnaires, intensive longitudinal assessments (ESM/EMA), daily life research, mobile sensing, or ecological momentary interventions.

The personal data collected in the context of questionnaires, responses, study content, chatbot interactions, or other research features configured by the Researcher are generally processed under the responsibility of the Researcher or the entity promoting the study, which acts as the data controller. If you are a research participant, you should therefore consult the privacy notice provided by the Researcher or the entity promoting the study.

Where such data reveal information relating to physical or mental health, psychological status, or other sensitive aspects, they may constitute special categories of personal data under the GDPR and are subject to enhanced safeguards.

4. WHY DO WE COLLECT AND PROCESS PERSONAL DATA?

We collect and process your personal data for the following purposes.

4.1.

We process the personal data necessary to enable the technical functioning of the app, its proper delivery, the management of internal identifiers, the transmission of technical information, and the use of the related services.

Legal basis: performance of a contract or pre-contractual measures requested by the user.

4.2.

We may process certain technical and usage information in order to analyse technical issues, improve service quality, optimise existing features, and develop new ones. Where such processing is not strictly necessary for the provision of the service, it will only take place with your prior consent, which you may withdraw at any time without affecting the lawfulness of processing carried out prior to the withdrawal. Where possible, such information is used in aggregated or de-identified form and not to identify you directly. Where required, consent must be freely given, specific, and revocable.

4.3.

We process technical data and device information to ensure the security of the app and services, prevent unlawful use, abuse, fraud, unauthorised access, and to maintain the integrity and resilience of the infrastructure.

Legal basis: SALVIA-DK’s legitimate interest in ensuring the security, protection, and proper functioning of its services.

4.4.

We may process personal data necessary to establish, exercise, or defend a legal claim in judicial or extrajudicial proceedings.

Legal basis: legitimate interest in protecting our rights.

4.5.

We may process or disclose personal data where necessary to comply with legal, regulatory, judicial obligations, or lawful requests from competent authorities.

Legal basis: legal obligation.

5. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

As a matter of principle, we only share your personal data with parties that need to process them for purposes consistent with this Privacy Notice and subject to confidentiality and security obligations.

Your personal data may be disclosed to the following categories of recipients:
a) authorised internal personnel of SALVIA-DK;
b) providers of technical, infrastructure, hosting, maintenance, security, support, or monitoring services, appointed, where necessary, as data processors or sub-processors;
c) the University of Ferrara, to the extent that it provides hosting services or infrastructure support, if and to the extent that this is actually provided for in the service architecture;
d) public, judicial, administrative, or supervisory authorities, where required by law or by a lawful order.

All parties processing personal data on our behalf are bound by contractual or legal confidentiality and security obligations. The information provided to data subjects must clearly indicate the categories of recipients.

Where required for the functioning of the app, we may also share with the participant certain identifying details of the Researcher or the study, such as the Researcher’s name or a connection code, to the extent strictly necessary for the operation of the service.

As a matter of principle, we do not transfer your personal data outside the European Economic Area. If an international transfer becomes necessary, it will take place in compliance with the applicable law, adopting appropriate safeguards, including, where necessary, the Standard Contractual Clauses pursuant to Article 46 GDPR.

6. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We retain personal data for no longer than is necessary for the purposes for which they are processed.

In particular:

technical or internal identifiers are retained for the period necessary to provide the service and for any additional technical, security, or business continuity periods reasonably required;
device information, technical logs, and data relating to errors or malfunctions are retained for periods proportionate to the purposes of security, maintenance, support, and service improvement;
any additional data processed by SALVIA-DK as controller are retained according to criteria of necessity, proportionality, and minimisation.

When the data are no longer necessary, they are deleted or anonymised, unless their retention is required by legal obligations, orders from authorities, or the need to protect rights in legal proceedings. The GDPR requires that the retention period, or the criteria used to determine it, be communicated transparently.

7. HOW DO WE KEEP YOUR PERSONAL DATA SECURE?

The security and confidentiality of personal data are fundamental to us. We have adopted appropriate technical and organisational measures to protect personal data against destruction, loss, alteration, unauthorised disclosure, unauthorised access, or other unlawful processing.

Such measures include, where applicable:

access control and privilege limitation;
data minimisation measures and, where possible, pseudonymisation;
protection of infrastructure and systems;
logging and technical monitoring;
incident management procedures;
organisational and contractual security measures for authorised personnel and involved suppliers.

Security measures must be appropriate to the risk, taking into account the nature of the data, the purposes, and the context of the processing.

8. YOUR RIGHTS REGARDING YOUR PERSONAL DATA

Due to the technical architecture of the app and the use of indirect identifiers, SALVIA-DK may not immediately have sufficient elements to link a request to a specific data subject. In such cases, we may request additional information strictly necessary to verify the identity of the requester and properly handle the request.

You may exercise your rights by contacting us at: salvia.dk.app@gmail.com.

In particular:

Right of access
You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the information provided for by the GDPR.

Right to rectification
You have the right to obtain the rectification of inaccurate personal data concerning you and the completion of incomplete data.

Right to erasure
You have the right to request the erasure of personal data concerning you where the conditions set out in the GDPR are met, without prejudice to the fact that we may need to retain certain data in the presence of legal obligations, security needs, or the defence of rights in legal proceedings.

Right to restriction of processing
You have the right to request the restriction of processing in the cases provided for by applicable law.

Right to object
You have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interest, unless compelling legitimate grounds for the processing exist or the processing is necessary for the establishment, exercise, or defence of legal claims.

Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw it at any time.

Right to data portability
You have the right to receive, in the cases provided for by law, the personal data you have provided in a structured, commonly used, and machine-readable format.

Requests must clearly specify the right you intend to exercise and may be accompanied by the information necessary to enable us to properly identify you. We will respond without undue delay and, in any event, within the time limits provided by applicable law. The GDPR requires that information on rights be provided in a clear, accessible, and transparent manner.

You also have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State where you habitually reside, work, or where the alleged infringement occurred.

9. CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice over time, for example to comply with legal, technical, or organisational changes, or to reflect changes in the services offered.

Where material changes significantly affect the processing of your personal data, we will inform you by appropriate means, for example through in-app notifications or other channels ordinarily used for service communications.

PRIVACY NOTICE FOR THE SALVIA-DK DASHBOARD

We attach great importance to the security and confidentiality of personal data.
This Privacy Notice describes how SALVIA-DK collects and processes personal data in connection with the use of the SALVIA-DK Dashboard and the related services, limited to the processing activities for which SALVIA-DK acts as an independent data controller.

Unless expressly stated otherwise, this Privacy Notice does not govern the processing of personal data of research participants collected, accessed, or managed by the Researcher through the Dashboard in the context of studies, questionnaires, protocols, or other research activities. For such processing activities, the Researcher or the entity promoting the study generally acts as the data controller and must provide its own privacy notice. Participant data that may be displayed or managed through the Dashboard are generally processed by SALVIA-DK as a data processor on behalf of the study controller, in accordance with the Agreement and the relevant data processing agreement. Privacy roles must be described clearly and consistently with the activities actually carried out.

1. WHEN DOES THIS PRIVACY NOTICE APPLY?

This Privacy Notice applies to the collection and processing of personal data carried out by SALVIA-DK when you use the SALVIA-DK Dashboard as a user.

The SALVIA-DK Dashboard is a web platform accessible through authentication and made available for the management of studies, questionnaires, and related services.

For the purposes of this Privacy Notice, the Dashboard user is generally:
a) a Researcher;
b) an employee, collaborator, subcontractor, or authorised representative of a university, entity, research institute, healthcare facility, or other organisation using the Dashboard;
c) another authorised user accessing the Dashboard for technical, organisational, or support purposes connected with the Services.

This Privacy Notice relates exclusively to processing activities carried out by SALVIA-DK as an independent data controller with regard to Dashboard user data, such as account creation and management, security, logging, abuse prevention, technical support, and legal compliance. The information provided to data subjects must be concise, transparent, intelligible, and easily accessible.

2. WHO ARE WE?

For the processing activities described in this Privacy Notice, SALVIA-DK acts as the data controller.

Our contact details are as follows:
Name: SALVIA-DK Software
E-mail: salvia.dk.app@gmail.com
[Registered or operational office, if any:] [to be inserted]
[Privacy contact / DPO, if any:] [to be inserted, if applicable]

3. WHAT PERSONAL DATA DO WE COLLECT AND PROCESS?

In order to provide the SALVIA-DK Dashboard and the related services, we may collect and process, under our responsibility, the following categories of personal data relating to Dashboard users:

3.1. Identifying and professional information of the user

These are the information required from or associated with the user at the time of registration, activation, or use of the Dashboard, including, by way of example:

first and last name;
professional or institutional email address;
affiliation, entity, or institution of reference;
any additional professional data necessary for account management and the relationship with the user.

3.2. Researcher account credentials and access data

These are the data necessary to identify the authorised user and allow access to the Dashboard and related services, including:

account identifier;
authentication credentials;
information relating to access, sessions, and account security;
technical logs and audit data connected with the use of the Dashboard.

3.3. Connection codes and study codes

These are codes or unique identifiers associated with the study or the account, used to enable technical management, the association between the study and authorised users, and, where necessary, communication with participants or with the SALVIA-DK App.

3.4. Technical and Dashboard usage data

We may also process technical data relating to the use of the Dashboard, such as:

IP address and other online identifiers, where processed;
browser type and operating system;
date and time of access;
application errors, technical events, and system logs;
metadata strictly necessary for the security, maintenance, and proper functioning of the platform.

3.5. Data relating to study content

The Dashboard may allow the Researcher to create, upload, or manage questionnaires, study configurations, codes, participant information, and research results. Such content, where it contains personal data of participants or other information processed in the context of the study, is generally processed by SALVIA-DK as a data processor on behalf of the study controller and does not fall, except for strictly necessary technical aspects, within the scope of this Privacy Notice. The information provided to data subjects must clearly distinguish the purposes and roles of the processing.

4. WHY DO WE COLLECT AND PROCESS PERSONAL DATA?

We collect and process the personal data of the Dashboard user for the following purposes.

4.1.

We process personal data to enable account creation and management, access to the Dashboard, study configuration, management of available functionalities, technical support, and the provision of related services.

Legal basis: performance of a contract or pre-contractual measures requested by the user.

4.2.

We may process technical and Dashboard usage data in order to analyse technical problems, optimise stability, improve the user experience, develop or correct functionalities, and maintain the platform efficiently.

Legal basis: SALVIA-DK’s legitimate interest in ensuring the proper functioning, efficiency, and continuous improvement of the Dashboard, in compliance with the principles of minimisation and proportionality. The type and amount of data processed must be appropriate to the purpose pursued. Where specific additional processing activities require the user’s consent under applicable law, they will only be carried out after obtaining such consent.

4.3.

We process personal data to ensure that the Dashboard and related services are used in compliance with the law, the contractual terms, and security rules, and to prevent abuse, unauthorised access, fraud, or other unlawful uses.

Legal basis: SALVIA-DK’s legitimate interest in the security and protection of the platform and services.

4.4.

We may process personal data necessary to establish, exercise, or defend a legal claim in judicial or extrajudicial proceedings.

Legal basis: legitimate interest in protecting our rights.

4.5.

We may process or disclose personal data where necessary to comply with legal, regulatory, judicial obligations, or lawful requests from competent authorities.

Legal basis: legal obligation. Privacy notices must clearly indicate the purposes and legal basis of each processing activity.

5. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

As a matter of principle, we only share the personal data of the Dashboard user with parties that need to process them for purposes consistent with this Privacy Notice and subject to confidentiality and security obligations.

Personal data may be disclosed to the following categories of recipients:
a) authorised internal personnel of SALVIA-DK;
b) providers of technical, infrastructure, hosting, maintenance, security, support, or monitoring services, appointed, where necessary, as data processors or sub-processors;
c) the University of Ferrara, to the extent that it provides hosting services or infrastructure support, if and to the extent that this corresponds to the actual architecture of the service;
d) public, administrative, judicial, or supervisory authorities, where required by law or by a lawful order.

To the extent necessary for the functioning of the platform, certain information relating to the study or the Researcher, such as the Researcher’s name or the study code, may also be made available to participants or to other users connected with the study, where required by the service configuration.

All parties processing personal data on our behalf are bound by contractual or legal confidentiality and security obligations. The categories of recipients must be clearly disclosed to data subjects.

6. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

We retain personal data for no longer than is necessary for the purposes for which they are processed. In particular:

identifying and professional information of the Dashboard user are retained for the duration of the relationship and for any additional technical, administrative, security, or defence-related periods reasonably required;
credentials, access logs, and technical usage data are retained for periods proportionate to the purposes of authentication, security, maintenance, audit, and support;
study codes and technical identifiers associated with the account or the study are retained for the period necessary for the management of the study, the platform, and the related technical or organisational obligations.

When the data are no longer necessary, they are deleted or anonymised, unless their retention is required by legal obligations, orders from authorities, or the need to protect rights in legal proceedings. The GDPR requires that the retention period, or at least the criteria used to determine it, be indicated.

7. HOW DO WE KEEP YOUR PERSONAL DATA SECURE?

access control and management of authorisation profiles;
limitation of privileges according to the user’s role;
protection of infrastructure, systems, and credentials;
logging, technical monitoring, and audit trail;
incident management procedures;
internal policies and contractual confidentiality measures for personnel and suppliers.

Security measures must be appropriate to the risk and the nature of the data processed.

8. YOUR RIGHTS REGARDING YOUR PERSONAL DATA

Under the GDPR, you have the right to exercise, within the limits of the law, the rights of access, rectification, erasure, restriction of processing, objection, withdrawal of consent, and, where applicable, data portability. Requests and responses relating to data subjects’ rights must be handled free of charge, transparently, and in an easily accessible manner, except where otherwise provided by law.

You may exercise your rights by contacting us at: salvia.dk.app@gmail.com.

In particular:

Right to rectification
You have the right to obtain the rectification of inaccurate personal data concerning you and the completion of incomplete data.

Right to restriction of processing
You have the right to request restriction of processing in the cases provided for by applicable law.

Right to withdraw consent
Where processing is based on your consent, you have the right to withdraw it at any time.

Right to data portability
You have the right to receive, in the cases provided for by law, the personal data you have provided in a structured, commonly used, and machine-readable format.

You also have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State where you habitually reside, work, or where the alleged infringement occurred.

9. CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice over time, for example to comply with legal, technical, or organisational changes or to reflect changes in the services offered. Where material changes significantly affect the processing of your personal data, we will inform you by appropriate means, for example through a notification on the Dashboard or by email. We encourage you to consult the most up-to-date version of this Privacy Notice periodically.